[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [ws-sx] Issue 70: Clarify relationship between extensibility model and policy intersection
I think we discussed this a little on the call, but my understanding is that the service would publish a policy along the lines of; <sp:SupportingToken> <wsp:Policy> <sp:UserNameToken> <wsp:Policy> <orcl:IncludesPassword wsp:Optional='true' /> </wsp:Policy> </sp:UserNameToken> </wsp:Policy> <sp:SupportingToken> which is effectively two policy alternatives, one with and one without the orcl:IncludesPassword assertion. Gudge > -----Original Message----- > From: Marc Goodner [mailto:mgoodner@microsoft.com] > Sent: 17 May 2006 14:56 > To: Prateek Mishra; ws-sx@lists.oasis-open.org > Cc: ashok Malhotra; ramana Turlapati > Subject: [ws-sx] Issue 70: Clarify relationship between > extensibility model and policy intersection > > Recorded as issue 70. > > Marc Goodner > Technical Diplomat > Microsoft Corporation > Tel: (425) 703-1903 > Blog: http://spaces.msn.com/mrgoodner/ > > -----Original Message----- > From: Prateek Mishra [mailto:prateek.mishra@oracle.com] > Sent: Tuesday, May 16, 2006 6:50 AM > To: ws-sx@lists.oasis-open.org > Cc: Marc Goodner; ashok Malhotra; ramana Turlapati > Subject: [ws-sx] NEW ISSUE: Clarify relationship between extensibility > model and policy intersection > > *PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL > THE ISSUE IS ASSIGNED A NUMBER. * > > *The issues coordinators will notify the list when that has occurred.* > > * * > > Protocol: ws-sp > > docs.oasis-open.org/ws-sx/200512/ws-securitypolicy > > Artifact: policy > > > > Type: > > design > > > > Title: > > Clarify relationship between extensibility model and policy > intersection > > > > Description: > > Section 11 of the WS-SecurityPolicy draft provides clear guidance on > extending existing policy assertions or defining new ones. > However, the policy assertion matching rules (Section 3.1.3) > raise some > questions about the use of assertions with extensions, specifically > lines 364-365: > > [quote] > An assertion with an empty nested policy does not intersect with the > same assertion without nested policy. > [quote] > > If a server offered a service with policy expression: > > > <sp:SupportingToken> > <wsp:Policy> > <sp:UserNameToken/> > </wsp:Policy> > <sp:SupportingToken> > > <> > > and the client policy includes nested policy assertion <orcl: > IncludesPassword> as in: > > <sp:SupportingToken> > <wsp:Policy> > <sp:UserNameToken> > <wsp:Policy><orcl:IncludesPassword></wsp:Password> > </wsp:Policy> > <sp:SupportingToken> > > Then should not the two policy expressions match? As things stand, the > two expressions will not match even though the client is fully able to > satisfy the server's expectations. > > > Related issues: > > > > Proposed Resolution: > > It seems to me there are two outcomes here: > > (1) Retain current model but add text to Section 11 explaining the > relationship between extensibility amd matching. Personally I > find this > troubling, as it suggests that we will often have false > negatives during > > policy matching. > > (2) Extend the current model to accommodate a more refined notion of > policy matching. I can make a proposal but it may be better to > first get a sense of the TCs position on this issue. > > > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]